Regardless of the type of victim, the aim of the attacker is always the same: infect the users’ systems and deny them access to their most valuable assets, such as confidential or corporate data. Typically, this is done by encrypting the most important documents, making them unreadable, until a ransom for the decryption key is paid. While the actual amounts that are paid are most likely much higher than what is known publicly, many millions of dollars have been reported to be paid each month by the victims to cybercriminals for restoring their critical data.

In this blog series, we focus on different aspects of this lucrative business. The first post looks into the delivery mechanisms for ransomware, which file types are commonly used for ransomware distribution, and how an infection typically takes place. In the follow-up posts, we will dive into evasion techniques used by recent ransomware families, and provide details of how this class of malware operates.

Delivery Mechanisms

The vast majority of ransomware attacks seen today are distributed using spam and phishing emails, or via compromised websites and “malvertising” (a practice where attackers use web advertisements to spread malicious code).

The below infographic compares the two basic mechanisms for delivering the ransomware payload, as well as the artifacts used as part of the attack:

Delivery via email: The left-hand side focuses on delivery via email. In this scenario, the attacker sends an email to victims, trying to trick them into opening a document attached to the email. In recent attack waves, we often see JavaScript (JS) files, Visual Basic (VB) scripts, Windows Script files (WSF), Scalable Vector Graphics (SVG) files, and, most frequently, Microsoft Office documents. While the latter is the easiest in terms of tricking a user into opening the attachment, it also requires additional social engineering tactics for convincing the victims to enable macro code execution (which is disabled by default).

Ransomware delivered via email: Social engineering used by Spora

Interestingly, when ransomware is delivered via Microsoft Office documents, we frequently see two types of techniques for communicating with the command-and-control (C&C) server for downloading the final payload: some variants execute a separate script (typically wscript.exe or powershell.exe), others implement the download directly via a macro in Microsoft Office (typically using an obfuscated VBA-based downloader). For the latter, C&C requests come from the context of Microsoft Office, which has an advantage over executing a separate script: these can be mitigated somewhat trivially by blacklisting the execution of untrusted processes (for example wscript.exe) via Software Restriction Policies. While such policies are usually only in place in tightly-controlled corporate environments, these may be the most-lucrative targets for an attacker.

Delivery via websites: The right-hand side in the infographic shows a typical infection via drive-by-download attacks. In this scenario, a user visits a compromised website (or follows a malicious advertisement) redirecting him (or her) to an Exploit Kit landing page, which triggers the installation of the ransomware payload.

In some cases, attackers make use of an additional layer, a so-called gate, between the infected website and the landing page. This gate allows the attacker to filter the potential victims by specific criteria, such as geo-location, browser user-agent, or request referrer. Depending on these criteria, the attacker can load the most applicable attack into the user’s environment. For example, it could detect and exploit unpatched 3rd party software (such as Flash Player or Java plugin), or trick the visitor into downloading and executing a payload directly via a social-engineering scheme. Below is one of the messages that prompts a victim to update the Chrome’s font by downloading an executable file:

Renting an Exploit Kit infrastructure, in turn, can be very costly (reported up to $7,000 per month), but is usually much more effective in the sense of stealth and flexibility (an attacker may choose a specific payload). The likelihood of a successful infection in case the system is not up-to-date is higher, as there is no need to lure a potential victim into assisting the attack since the malware will be delivered and installed silently without any user interactions once he/she visits an infected web-page.

File Type Distribution

Using the Lastline Knowledge Base, we can find what types of files are typically used for spreading different ransomware families. More specifically, we looked at files analyzed in Lastline datacenters in recent months that exhibited ransomware-specific behaviors as part of the analysis run. In an upcoming sequel in this blog series, we will take a more detailed look and describe how we classify such behavior.

It is interesting to see that a large portion of these attacks uses scripting languages (such as JavaScript and Windows Script Files) for the initial infection. Given these statistics, it does not come as a surprise that Google recently announced blocking JavaScript attachments in their Gmail service (likely targeting the email delivery described above).

Most frequent seen file types used by ransomware(January and February 2017)

The fact that ransomware is predominantly delivered via scripting languages may be a forecast of what we will see for future malware in general: a shift towards exploitation through scripting. This is because, unlike binary programs, script code is somewhat easier to obfuscate, which helps in defeating most traditional antivirus software. Furthermore, scripts are still less likely to be blocked on the network (e.g., when attached to an email). We will explore this concept much further in another follow-up post to this series.

Summary

Ransomware is a lucrative business and attackers can choose from an arsenal of delivery mechanisms for targeting their victims. In this first post in our series on Ransomware attacks, we explored the first stage of the attack chain, presenting various delivery mechanisms. In our next post, we will look at the common behaviors of this type of malware, and how the Lastline analysis system can use these commonalities to prevent this type of attack and protect users from losing valuable data.

Alexander Sevtsov is a Malware Reverse Engineer at Lastline. Prior to joining Lastline, he worked for Kaspersky Lab, Avira and Huawei, focusing on different methods of automatic malware detection. His research interests are modern evasion techniques and deep document analysis.